Posted by timothy on Tuesday July 29, 2014 @12:55PM
from the you-could-use-postcards-scanned-by-an-arduino dept.

Qbertino (265505) writes I've been musing about a security setup to allow my coworkers/users access to files from the outside. I want security to be a little safer than pure key- or password-based SSH access, and some super-expensive RSA Token setup is out of the question. I've been wondering whether there are any feasible and working FOSS and open hardware-based security token generator projects out there. It'd be best with ready-made server-side scripts/daemons. Perhaps something Arduino or Raspberry Pi based? Has anybody tried something like this? What are your experiences? What do you use? How would you attempt an open hardware FOSS solution to this problem?

My organization uses 2FA with a standard that's compatible with Google Authenticator and a Yubikey (OATH: http://en.wikipedia.org/wiki/I... [wikipedia.org] and http://www.nongnu.org/oath-too... [nongnu.org]). People with smartphones could use Google Authenticator to obtain auth tokens; an inexpensive ($25 per person) yubikey provides a very easy way to enter tokens without much hassle; and the open-source oathtool can generate tokens for other uses (i.e. add a "paper" authentication device with a long list of sequential tokens).

For software tokens, Google Authenticator has apps for Android, iOS, and BlackBerry. They implement the TOTP standard, so any compatible code-generating software (such as the J2ME app I have on my non-smartphone) will work with it.

They also have a PAM module [google.com] that works with SSH (or anything else that uses PAM). I've used it before, and it works great.

For reference, neither the apps nor the PAM module depend in any way on Google services, they don't send any data to Google, and will work perfectly happily in a totally offline environment (assuming all the servers and client apps have synchronized clocks).
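Added example, not part of the original comments and not code from Google Authenticator or oath-toolkit: a standard-library sketch of TOTP (RFC 6238 over RFC 4226 HOTP) showing why the scheme works offline and how a server can tolerate limited clock skew. The `verify` helper, its `window` and `last_counter` parameters, and the use of the RFC 6238 test secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length used by Google Authenticator-compatible apps

# RFC 6238 test secret ("12345678901234567890"), base32 as apps expect it.
# Test value only; a real secret is random and unique per user.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, now: float) -> str:
    """TOTP is HOTP with counter = Unix time // STEP; no network needed."""
    return hotp(base64.b32decode(secret_b32), int(now) // STEP)

def verify(secret_b32: str, code: str, now: float,
           window: int = 1, last_counter: int = -1):
    """Return the matching time-step counter, or None.

    window       -- steps of clock skew accepted on each side (assumed policy)
    last_counter -- highest counter already accepted for this user; codes at
                    or below it are rejected so a sniffed code cannot be reused
    """
    key = base64.b32decode(secret_b32)
    current = int(now) // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        # compare_digest avoids leaking how many leading digits matched
        if counter > last_counter and hmac.compare_digest(hotp(key, counter), code):
            matched = counter
    return matched

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)                        # token's clock: t=59
    print(code)
    print(verify(RFC_SECRET, code, 89))                # server 30 s ahead: accepted
    print(verify(RFC_SECRET, code, 179))               # server 120 s ahead: rejected
    print(verify(RFC_SECRET, code, 89, last_counter=1))  # replay: rejected
```

A wider `window` tolerates more drift between token and server but also lengthens the time a captured code remains valid, so keeping clocks synchronized (e.g. NTP on the server) is preferable to widening it.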